Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
AnalysisAI
IBM Aspera Shares versions 1.9.9 through 1.11.0 fail to invalidate user sessions following password reset operations, enabling authenticated users to maintain access to compromised accounts and impersonate other users. The vulnerability requires prior authentication and allows limited confidentiality and integrity impact through account takeover. IBM has released a patch to address this session management defect.
Technical ContextAI
The vulnerability stems from improper session handling in IBM Aspera Shares, a file transfer and collaboration platform. After a user resets their password, the application fails to terminate active sessions associated with that account (CWE-613: Insufficient Session Expiration). This is a classic session fixation/persistence flaw where session tokens remain valid despite credential changes. An authenticated attacker who gains knowledge of another user's credentials or who obtains a valid session token before password reset can continue using that session to perform actions as the legitimate user. The affected CPE is cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:* for versions 1.9.9 through 1.11.0.
RemediationAI
IBM has released a patch available through their support portal. Organizations should upgrade IBM Aspera Shares to the patched version specified in the vendor advisory at https://www.ibm.com/support/pages/node/7267848. As an immediate mitigation pending patch deployment, administrators should enforce logout of all active sessions when initiating password resets for user accounts, consider implementing additional session monitoring and re-authentication requirements for sensitive operations, and audit session logs for suspicious cross-user activity patterns that may indicate session hijacking attempts.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209178
GHSA-4rp7-5w2x-wwvh